
‘CamuBot’ Banking Malware Ups the Trojan Game with Biometric Bypass

Brazilian bank customers are being warned of malware dubbed CamuBot that hides in plain sight and presents itself as a required end-user security module provided by a bank.

The malware goes so far as to include bank logos that look and feel as if they’re part of a real security application. In some cases, the malware can also hijack one-time passwords used for biometric authentication.

In a report by IBM X-Force released Tuesday, researchers said CamuBot was first spotted in August 2018 in a targeted attack against business-class banking customers. The name, CamuBot, was given to the malware because it attempts to camouflage itself as bona fide branded security software.

“The malware’s operators are actively using [CamuBot] to target companies and public-sector organizations, mixing social engineering and malware tactics to bypass strong authentication and security controls,” said Limor Kessem, a global executive security advisor with IBM Security, in a technical breakdown of the attacks posted Tuesday.

Distribution of the malware is believed to be highly individualized. “It is very possible that [the threat actors] gather information [on potential targets] from local phone books, search engines or professional social networks to get to people who own a business or would have the business’ bank account credentials,” Kessem wrote.

Once a target is defined, the attackers pose as bank employees via phone calls, and instruct victims to visit a specific URL to verify that their “security module” is up-to-date. The fake verification site will then indicate a fake “required update” for the supposed security software. Next, victims are told to close all running programs, and to download and install the malicious software using the Windows admin profile.

“At this point, a fake application that features the bank’s logos starts downloading. Behind the scenes, CamuBot gets fetched and executed on the victim’s device,” the researcher said. “The name of the file and the URL it is downloaded from change in every attack.”

As the attacker is on the phone with the victim, “a pop-up screen redirects the victim to a phishing site purporting to be their bank’s online banking portal,” Kessem explained. Victims are instructed to log into their account via the fake site maintained by the attacker. Once accomplished, the victim has shared their banking credentials with the attacker.

Outsmarting Biometric Hardware Protections

In some circumstances, such as the presence of biometric authentication or other strong authentication hardware attached to the targeted PC, CamuBot goes the extra mile. “The malware can fetch and install a driver for that device,” researchers said.

To carry out this end-run around authentication, attackers rely on several of the malware’s more advanced capabilities. First, CamuBot creates new firewall and antivirus rules so that the malware is treated as a trusted program. Communication is then established with the adversary’s command-and-control server through an SSH-based SOCKS proxy. Next, port forwarding is enabled and used “in a two-way tunneling of application ports from the client’s device to the server,” the researcher said.

“The tunnel allows attackers to direct their own traffic through the infected machine and use the victim’s IP address when accessing the compromised bank account,” she said.
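The sequence described above (a freshly installed program whitelists itself with the firewall and antivirus, then opens an outbound SSH session to use as a SOCKS proxy and port-forwarding tunnel) is a pattern a defender can correlate on the endpoint. The following is an added example written for this article, not code from Threatpost or from IBM X-Force’s report. The Windows event IDs it uses are real (Security 4946 for a firewall exception rule being added, Windows Defender Operational 5007 for an antivirus configuration change, Sysmon 3 for a process network connection), but the pipe-separated log layout, the host name, the file name `modulo.exe`, the IP addresses and the 15-minute correlation window are all constructed assumptions for the sample.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Real Windows event identifiers (the log layout below is constructed and simplified):
#   Security 4946  - a rule was added to the Windows Firewall exception list
#   Defender 5007  - Windows Defender Antivirus configuration changed (e.g. an exclusion)
#   Sysmon   3     - a process made a network connection
FIREWALL_RULE_ADDED = ("Security", 4946)
DEFENDER_CONFIG_CHANGED = ("Defender", 5007)
NETWORK_CONNECT = ("Sysmon", 3)
SSH_PORT = 22
WINDOW = timedelta(minutes=15)  # assumed maximum gap between self-whitelisting and tunnel setup

# Constructed sample log: ts|host|source|event_id|process|detail
# The process path, host, and addresses are made up for this example.
SAMPLE_LOG = r"""
2018-08-14T09:00:00|WS-FIN-07|Sysmon|3|C:\Program Files\Git\usr\bin\ssh.exe|198.51.100.5:22
2018-08-14T10:02:11|WS-FIN-07|Security|4946|C:\Users\admin\Downloads\modulo.exe|Rule added: allow program C:\Users\admin\Downloads\modulo.exe
2018-08-14T10:02:14|WS-FIN-07|Defender|5007|C:\Users\admin\Downloads\modulo.exe|Exclusions\Paths added: C:\Users\admin\Downloads\modulo.exe
2018-08-14T10:03:40|WS-FIN-07|Sysmon|3|C:\Users\admin\Downloads\modulo.exe|203.0.113.10:22
2018-08-14T10:04:02|WS-FIN-07|Sysmon|3|C:\Users\admin\Downloads\modulo.exe|203.0.113.10:443
"""


@dataclass
class Event:
    ts: datetime
    host: str
    source: str
    event_id: int
    process: str   # image path of the process responsible for the event
    detail: str    # rule text, changed setting, or "dst_ip:dst_port"


def parse_line(line: str) -> Event:
    """Parse one pipe-separated record of the constructed log format."""
    ts, host, source, event_id, process, detail = line.rstrip("\n").split("|", 5)
    return Event(datetime.fromisoformat(ts), host, source, int(event_id), process, detail)


def is_self_whitelisting(ev: Event) -> bool:
    """True when a process adds a firewall rule or AV exclusion that names its own path."""
    if (ev.source, ev.event_id) not in (FIREWALL_RULE_ADDED, DEFENDER_CONFIG_CHANGED):
        return False
    return ev.process.lower() in ev.detail.lower()


def dst_port(ev: Event) -> Optional[int]:
    """Destination port of a Sysmon network-connect event, else None."""
    if (ev.source, ev.event_id) != NETWORK_CONNECT:
        return None
    return int(ev.detail.rsplit(":", 1)[1])


def correlate(lines) -> List[Tuple[str, str, str]]:
    """Return (host, process, connect_time) for every process that first whitelisted
    itself and then opened an outbound SSH connection within WINDOW of doing so."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    first_whitelisting: Dict[Tuple[str, str], datetime] = {}
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        key = (ev.host, ev.process)
        if is_self_whitelisting(ev):
            first_whitelisting.setdefault(key, ev.ts)
        elif dst_port(ev) == SSH_PORT and key in first_whitelisting:
            if timedelta(0) <= ev.ts - first_whitelisting[key] <= WINDOW:
                alerts.append((ev.host, ev.process, ev.ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for host, process, when in correlate(SAMPLE_LOG.splitlines()):
        print(f"[ALERT] {host}: {process} whitelisted itself and opened SSH at {when}")
```

The rule deliberately requires both signals: an ordinary SSH client connecting to port 22 (the `ssh.exe` line) is not flagged, and a program that adds an exclusion but never tunnels is not flagged either. In a real deployment the same logic would read the Security, Defender Operational and Sysmon channels rather than a flat file, and the window would be tuned to the installer behaviour seen in the environment.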

At this point, CamuBot prompts the victim to install remote access to the USB-connected authentication device.

“Trusting that they are speaking to a bank representative, the victim may authorize the access, not knowing that by sharing access to the connected device they can allow the attacker to intercept one-time passwords generated for authentication purposes,” Kessem wrote. “If the same remote sharing is authorized by a duped user, they could unknowingly compromise their biometric authentication.”

“CamuBot is more sophisticated than the common remote-overlay type malware used in Brazil in its M. O. (modus operandi) and fraud tactics. Instead of simplistic fake screens and a remote access tool, CamuBot tactics resemble those used by Eastern European-made malware,” she said.

Kessem said CamuBot is most similar to Europe-based TrickBot, Dridex and QakBot, which target business banking and leverage social engineering for account and device takeover.

Authors

Threatpost
